Trusted Cloud Initiative Work Group Session
Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org

High Level Use Cases

Use Case                         Description
End User to Cloud                Applications running on the cloud and accessed by end users
Enterprise to Cloud to End User  Applications running in the public cloud and accessed by employees and customers
Enterprise to Cloud              Cloud applications integrated with internal capabilities

Guiding Principles
• Define protections that enable trust in the cloud.
• Develop cross-platform capabilities and patterns for proprietary and open-source providers.
• Will facilitate trusted and efficient access, administration and resiliency for the customer/consumer.
• Provide direction to secure information that is protected by regulations.
• The Architecture must facilitate proper and efficient governance, identification, authentication, authorization, administration and auditability.
• Centralize security policy, maintenance operation and oversight functions.
• Access to information must be secure yet still easy to obtain.
• Delegate or federate access control where appropriate.
• Must be easy to adopt and consume, supporting the design of security patterns.
• The Architecture must be elastic, flexible and resilient, supporting multi-tenant, multi-landlord platforms.
• The Architecture must address and support multiple levels of protection, including network, operating system, and application security needs.
TCI Mandate
• Use the breadth of the Cloud Security Alliance
  – Adjacent initiatives will be a focus for the TCI mandate
  – Built upon “pillars” from the Cloud Security Alliance
  – Provide an end-to-end security specification for cloud security
• Use the depth of the Cloud Security Alliance membership
  – Members have credibility from the top of the application to the “bare metal”
  – GRC and interoperability
• Enable a vendor-neutral reference architecture specification
  – All vendor products that enable an end-to-end security platform will be used
• Provide an exemplary reference set of implementations
  – Global examples so that any country can implement the architecture to their requirements
  – Show examples of standards and how they can be implemented across products
• Open source initiative
  – Where the TCI supports implementation under its direction, the implementation is open source

Note: The TCI Reference Architecture is not the same as the Cloud Computing Architectural Framework (Domain 1 of the Security Guidance for Critical Areas of Focus in Cloud Computing V2.1).

CSA Controls Matrix
[Two slides presenting the CSA Controls Matrix; the matrix itself does not survive extraction.]

Architecture Domains
Business Operation Support Services (BOSS), Information Technology Operation & Support (ITOS), Presentation Services, Application Services, Information Services, Infrastructure Services, Security and Risk Management (SRM). Frameworks the domains draw on: SABSA, ITIL, TOGAF, Jericho.

Reference Architecture Version 2.0 (pending changes)
[Diagram. Its layout does not survive extraction. The diagram carries a Guiding Principles panel repeating the list above, the seven domain panels named above, and the capability labels below. The labels are given in the order the extraction produced them, which is not their placement in the diagram; adjacent labels are not necessarily in the same domain.]

Presentation Modality, Consumer Service Platform, Compliance, Audit Planning, Independent Audits, High Level Use Cases, Third-Party Audits, Internal Audits, Information System Regulatory Mapping, Intellectual Property Protection, Data Classification, Handling / Labeling / Security Policy, Rules for Information Leakage Prevention, Clear Desk Policy, Plan Management, Test Management, Architecture Governance, PMO, Operational Risk Management, Program Mgmt, Project Mgmt, Segregation of Duties, Contractors, Employee Termination, Background Screening, Roles and Responsibilities, Business Continuity Planning, Testing, Risk Management Framework, Business Assessment, Technical Assessment, Employment Agreements, Job Descriptions, Employee Awareness, Event Correlation, Database Monitoring, Cloud Monitoring, Application Monitoring, E-Mail Journaling, Honey Pot, Market Threat Intelligence, SOC Portal, Managed Security Services, Knowledge Base, Branding Protection, Real-time internetwork defense (SCAP), Contracts, E-Discovery, Incident Response Legal Preparation, P2P Objectives, Internal SLAs, OLAs, External SLAs, Vendor Management, End-Point Monitoring, Service Costing, Application Services, Programming Interfaces, Application Performance Monitoring, Forensic Analysis, e-Mail Journaling, Capacity Planning, Software Management, Automated Asset Discovery, Configuration Management, Physical Inventory, Event Classification, Root Cause Analysis, Ticketing, Trend Analysis, Problem Resolution, Benchmarking, Security Job Aids, Security FAQ, TOGAF, Approval Workflow, Planned Changes, Project Changes, Operational Changes, Change Review Board, Emergency Changes, Release Management, Connectivity & Delivery, Risk Dashboard, Authentication Services, Configuration Management Database (CMDB), SAML Token, Risk Based Multifactor Auth, Smart Card Management, Password, OTP, Biometrics, Network Authentication, Single Sign On, Middleware, WS-Security Authentication, Federated IDM, Attribute Provisioning, Dashboard, Data Mining, Reporting Tools, Business Intelligence, PMO Strategy Roadmap, Data Governance, Recovery Plans, Problem Management, Incident Management, Knowledge Management, Session Events, Authorization Events, Authentication Events, Application Events, Network Events, Change Logs, GRC, RA, BIA, DR & BC Plans, VRA, TVM, Data Classification, Process Ownership, Audit Findings, HR Data (Employees & Contractors), Business Strategy, User Directory Services, NIPS Events, ACLs, CRLs, Compliance Monitoring, DLP Events, Privilege Usage Events, Active Directory Services, LDAP Repositories, eDiscovery Events, Registry Services, Location Services, DBMS, X.500 Repositories, Federated Services, Vulnerability Management, Network, Application, DB, Virtual Directory Services, Threat Management, Risk Taxonomy, Infrastructure Protection Services, End-Point, Anti-Virus, Anti-Spam, Anti-Malware, Media Lockdown, Behavioral Malware Prevention, Content Filtering, Inventory Control, DPI, Host Firewall, HIPS / HIDS, Hardware Based Trusted Assets, Network, Meta Directory Services, Infrastructure, Source Code Scanning, External, White Listing, Sensitive File Protection, Transformation Services, Database Events, Password Vaulting, Resource Protection, Hypervisor Governance and Compliance, Server, Computer Events, Data Segregation, Risk Management, Risk Assessments, Management Servers, Internal Management, Knowledge Repository, Keystroke/Session Logging, Privilege Usage Gateway, Penetration Testing, BOSS Security Monitoring Service, NonProduction Data, Information Leakage Metadata, Service Events, Privilege Usage Management, Threat and Vulnerability Management, Databases, ITOS, Out of the Box (OTB) AutN, Identity Verification, OTB AutZ, Abstraction, Forensic Tools, Content Filtering, White Listing, Application Protection, NIPS / NIDS, Wireless Protection, Link Layer Network Security, Black Listing, Filtering, XML Appliance, Application Firewall, Secure Messaging, Secure Collaboration, Real Time Filtering, Data Protection, Data lifecycle management, Internal Infrastructure, Facility Security, Controlled Physical Access, Barriers, Electronic Surveillance, Physical Authentication, Asset Handling, Data, Software, Equipment Location, Patch Management, Storage Services, Power Redundancy, Network Services, Network Segmentation, Servers, eSignature, Virtual Infrastructure, Desktop “Client” Virtualization, Image Management, Storage Virtualization, <<insert Jairo’s content>, Block-Based Virtualization, Remote, Secure Build, Local, Session-Based, Compliance Monitoring, Host-Based, VM-Based (VDI), LDM, Equipment Maintenance, Availability Services, Authoritative Time Source, Storage Device-Based, LVM, LUN, Service Discovery, Hardware, Environmental Risk Management, Physical Security, Meta Data Control, Infrastructure Services, Scheduling, Testing, Version Control, Build, Source Code Management, Capability Mapping, Risk Portfolio Management, Residual Risk Management, Entitlement Review, Policy Definition, Policy Enforcement, Policy Management, Principal Data Management, Resource Data Management, XACML, Role Obligation Management, Security Application Framework - ACEGI, Reporting Services, OLAs, SLAs, Orphan, Incident Management, Change Management, Data, Code Samples, Stress and Volume Testing, Service Delivery, Security Patrols, Service Provisioning, IT Risk Management, Problem Management, Automated Ticketing, Trend Analysis, Self Assessment, Audit Management, Compliance Testing, Configuration Rules (Metadata), Knowledge Management, Best practices, Process or Solution, Attack Patterns, CMDB, Cross Cloud Security Incident Response, ITIL v3, Application Vulnerability Scanning, Security Code Review, Contracts, Service Support, Policy Management, Exceptions, Domain Unique Identifier, Identity Provisioning, Software Quality Assurance, Service Support, User Behavior & Profile Patterns, Vendor Management, Identity Management, Integration Middleware, Development Process, Risk Assessments, Anti-Phishing, Compliance Management, InfoSec Management, Authorization Services, Security Design Patterns, Self-Service, Service Catalog, Investment Budgeting, Self-Service Container Security, Knowledge Lifecycle, Input Validation, Resiliency Analysis, Counter Threat Management, Internal Investigations, Secure Sandbox, Information Services, Operational Budgeting, Charge Back, Handwriting (ICR), Smart Appliances, Capacity Planning, Service Dashboard, Security Incident Response, SABSA, Medical Devices, Fixed Devices, Governance Risk & Compliance, Privilege Management Infrastructure, Strategy Alignment, Availability Management, Incident Management, Domain, e-Readers, Public Kiosk, Roadmap, Configuration Management, Legal Services, E-Mail, Third-Party, Standards and Guidelines, Information Technology Resiliency, Asset Management, Security Monitoring Services, Event Mining, Search, Portable Devices, Employee Code of Conduct, Independent Risk Management, SIEM Platform, B2B, Service Delivery, Service Level Management, Business Crisis Management, Impact Analysis, Key Risk Indicators, B2C, Collaboration, Speech Recognition (IVR), Desktops, Company owned, Technical Awareness and Training, Maturity Model, Remediation, Human Resources Security, Operational Risk Committee, B2M, Portfolio Management, Rules for Data Retention, SaaS, PaaS, IaaS, B2E, Mobile Devices, Mobile Device Management, IT Governance, Resource Management, Data Governance, Data Ownership / Stewardship, Secure Disposal of Data, DRP, End-Points, Enterprise Service Platform, Social Media, IT Operation, Contact/Authority Maintenance, Security and Risk Management, Presentation Platform, Application Virtualization, End Point Client Application Streaming, Server Application Streaming, Virtual Workspaces, Network, Hardware-Assisted TPM Virtualization, Virtual Memory, Data Discovery, Network (Data in Transit), End-Point (Data in Use), Server (Data at Rest), External (VLAN), Internal (VNIC), Data Masking, Data Tagging, Data Obscuring, Data Seeding, Intellectual Property Protection, Intellectual Property, Digital Rights Management, Cryptographic Services, Signature, PKI, Key Management Services, Symmetric Keys, Virtualization, Network Address Space Virtualization, IPv4, IPv6, Paravirtualization, Data Loss Prevention, Switched, File-Based Virtualization, Server Virtualization, OS Virtualization, Appliance, Vertical Isolation, Virtual Machines (Hosted Based), Full, Network-Based (Unstructured data), Data De-Identification, Life cycle management, Asymmetric Keys, Mobile Device Virtualization, Data-in-use Encryption (Memory), Data-at-Rest Encryption (DB, File, SAN, Desktop, Mobile) (Transitory, Fixed), Database Virtualization, Policies and Standards, Operational Security Baselines, Smartcard Virtualization, Data-in-Transit Encryption, Information Security Policies, Job Aid Guidelines, Technical Security Standards, Role Based Awareness, Data/Asset Classification, Best Practices & Regulatory correlation, JERICHO.

Chief Architect: Jairo Orea
Lead Architects: Marlin Pohlman, Yaron Levi, Dan Logan.
Team: David Sherr, Richard Austin, Vern Williams, Anish Mohammed, Harel Hadass, Phil Cox, Yale Li, Price Oden, Tuhin Kumar, Rajiv Mishra, Ravila White, Scott Matsumoto, Rob Wilson, Charlton Barreto, Ryan Bagnulo, Subra Kumaraswamy.
Date: 07/20/2011
Revision: 12th Review

Roadmap
• Control Mapping
• Operational Checklists
• Capability mapping
• Strategy alignment
• Use Cases (OSA)
• Security Patterns
• Guidelines
• Vendor Certification
[Diagram labels: Assess the opportunity; Reuse; BOSS, ITOS, Presentation, SRM, Application, Information, Infrastructure; CSA Controls Matrix, CSA Consensus Assessment, Reference Architecture.]

Security Framework and Patterns